Attention Turns to FBI’s ‘Outside Party’

The FBI’s motion for a continuance in its case against Apple has opened a new avenue in this debate as to the identity and means by which the mystery “outside party” could unlock terrorist Syed Farook’s iPhone.

Late yesterday afternoon, the FBI filed a motion to vacate a hearing scheduled for today in a Riverside, Calif., courtroom. The filing indicates that the FBI could have a way onto the phone without Apple’s help and that it will file a status report with the courts by April 5, which is two weeks from today.

The Department of Justice, in a statement provided to Threatpost, said that it has continued its efforts to crack the encryption and access data stored on Farook’s phone during the litigation against Apple, which became public Feb. 16.

“As a result of these efforts, an outside party demonstrated to the FBI this past weekend a possible method for unlocking the phone. We must first test this method to ensure that it doesn’t destroy the data on the phone, but we remain cautiously optimistic,” DOJ spokewoman Melanie Newman said in a statement. “That is why we asked the court to give us some time to explore this option. If this solution works, it will allow us to search the phone and continue our investigation into the terrorist attack that killed 14 people and wounded 22 people.”

If the DOJ is not able to crack the phone on its own, it can always revisit the case in court, but for now, the case against Apple and this one phone is on hold. In the meantime, it would seem that the FBI’s decision to stay the case reinforces the theory of legal and privacy experts, that this case was never solely about accessing what’s on Farook’s phone, but more so about setting a legal precedent that would allow the government to use this decision to crack other phones. It also confirms that Apple’s expertise is not the only means by which the data can be accessed. In fact, experts have made this case on many fronts, including extreme cases using silicon-based hardware attacks.

Forensics expert Jonathan Zdziarski wrote yesterday that the outside party is likely a forensics or data recovery firm outside the U.S. government, while ruling out independent security researchers or a jailbreak. Rather than attempting potentially destructive hardware-based attacks, Zdziarski wrote that a NAND mirroring technique is much more likely the means by which this outside party could get onto the phone. NAND is a type of flash memory that stores data even without power to a device or the chip. By mirroring the chip, Zdziarski said the FBI and its outside party could perform offline brute-force attacks against the four-digit passcode without causing the phone to wipe itself.

I assume the FBI has found someone to clone and reflash the NVRAM of the San Bernardino iPhone. They should have done it a month ago.

“This is where the NAND chip is desoldered (usually), dumped into a file (likely by a chip reader/programmer, which is like a cd burner for chips), and then copied so that if the device begins to wipe or delay after five or ten tries, they can just re-write the original image back to the chip. This technique is kind of like cheating at Super Mario Bros. with a save-game, allowing you to play the same level over and over after you keep dying. Only instead of playing a game, they’re trying different pin combinations. It’s possible they’ve also made hardware modifications to their test devices to add a socket, allowing them to quickly switch chips out, or that they’re using hardware to simulate this chip so that they don’t have to.”

Zdziarski also described other methods that can possibly used against older iPhones, including invasive techniques that prevent writing of incorrect PIN guesses to the disk. Apple patched against this technique in iOS, but Zdziarski said that NAND mirroring could be a way around the fix for newer versions of the phone. On older devices such as Farook’s, this is a moot point since they’re not protected by Apple’s Secure Enclave.

“The two weeks the FBI has asked for are not to develop this technique (it’s likely already been developed), but rather to demonstrate, and possibly sell, the technique to FBI by means of a field test on some demo units,” Zdziarski wrote. “This shouldn’t be a surprise to anyone, as it’s a fairly straightforward technique. It’s also a technique that wouldn’t work in an A7 or newer iPhone that has a Secure Enclave. More importantly, this technique wouldn’t work at all had Farook used a complex alphanumeric passcode. The weak link in all of this has been Farook and his poor choice of security.”

It’s also not out of the question that the FBI or the government has purchased or has access to a zero-day exploit that it could use in this case. While less likely, the FBI could postpone the case indefinitely, or drop it altogether, in order to avoid having to disclose its technique should Apple request it under discovery. Experts have also speculated about the NSA’s silence in this case in a similar vein that it would not want to give up an effective attack against iOS in open court.

In the meantime, anxious technology providers beyond Apple will have to wait a bit longer to see how this plays out.

“This may be more than just a routine extension of time. The FBI’s motion acknowledges that it may have other avenues to pursue in accessing the data on the phone, something that it must do under the law,” said Electronic Frontier Foundation director Cindy Cohn. “It could also provide a way for the FBI to get out of a very public battle it provoked over an extremely contentious issue: how and when tech companies can be forced to rewrite their software to facilitate surveillance.”

Countries are now leaning towards having their citizens data located in data centers within their own country. Apple definitely wants in on China. Now, if the Chinese government wants what the FBI wants, what do you think Apple is going to do?
Secondly, although I am an EE, and been in an area of reverse engineering things, I do not see anything technically impossible to extract the data from the phone. I often wonder if this is just some ruse.

“The Apple ID passcode linked to the iPhone belonging to one of the San Bernardino terrorists was changed less than 24 hours after the government took possession of the device, senior Apple executives said Friday. If that hadn’t happened, Apple said, a backup of the information the government was seeking may have been accessible…”

“So Apple is arguing that the Apple ID of the iPhone was changed after the government took possession, meaning the FBI could have had access to the data it’s seeking. Apple adds that otherwise it previously proposed solutions that wouldn’t include building a the “backdoor” the FBI is after.”

“In response to DOJ filing earlier, sr. Apple exec. says company has not said that unlocking an iPhone is technically possible – DJ”

I have just realised (The UK spelling) shouldn’t the 3rd party hacking the iPhone for the FBI either; should have authorization from Apple to do so or obtained a court order to hack Apple’s phone, because couldn’t Apple then prosecute the third party?

Who takes the responsibility if the patch gets into terrorists’- and criminals’ hands especially for example directly or indirectly via any of the security forces or governments?